SSHStalker Botnet Compromises 7,000 Linux Servers by Breaking SSH Authentication
Image: www.noticiasneo

SSHStalker Botnet Compromises 7,000 Linux Servers by Breaking SSH Authentication

07 July, 2026.Technology and Science.9 sources

Key Takeaways

  • SSHStalker compromised 7,000 Linux servers via weak SSH authentication
  • Campaign exploited unpatched Linux vulnerabilities dating back to 2009
  • About 50% of affected servers were in the United States

SSHStalker targets Linux

A botnet called SSHStalker, named by Flare Systems, compromised 7 000 Linux servers by breaking their SSH authentication, with the campaign enrolling machines including exploits targeting Linux vulnerabilities from 2009.

In the brief history of AI security, the prompt injection has quickly become the top threat

Ars TechnicaArs Technica

Le Monde Informatique says the botnet “compromet 7000 serveurs dont la moitié sont situés aux Etats-Unis,” and it describes a “kit de botnet assemblé” that can execute malwares, rootkits, log cleaners, and a wide range of kernel exploits.

Image from Ars Technica
Ars TechnicaArs Technica

The same report says SSHStalker collects AWS credentials and is capable of launching DDoS attacks and crypto-mining, while Flare’s researchers said it has “mené « une opération à grande échelle qui privilégie la fiabilité à la discrétion ».”

In the immediate defensive guidance, Assaf Morag of Flare told Le Monde Informatique that the “bonne nouvelle pour les RSSI” is that disabling SSH password authentication and replacing it with SSH key authentication can stop this particular botnet.

Chris Cochran, RSSI and vice-president of AI security at the SANS Institute, warned in Le Monde Informatique that “Autoriser encore l'accès SSH par mot de passe en 2026, c’est comme inviter les botnets à entrer dans ses systèmes.”

Mycelium sells AI compute

On the dark web, Flare identified an underground advertisement for the Mycelium Framework that it described as the first botnet marketed as an “AI-as-a-Service” rather than a traditional attack tool.

CyberSecurityNews reports that Mycelium is sold as a package for breaking into machines and renting out their computing power, and it says the framework claims to check each device for processing power, graphics chips, stored passwords, and active AI accounts.

Image from Brief IA
Brief IABrief IA

GBHackers News adds that the post positions Mycelium as an AIaaS botnet with an IRC-based encrypted command-and-control channel, and it describes a “capability-aware” system that routes workloads like inference, cracking, reconnaissance, exploit development, and social engineering to nodes based on CPU, GPU, local models, and stolen API keys.

Flare researchers told GBHackers News that Mycelium is the first underground offering observed that “explicitly positions a botnet as an AI-as-a-Service platform rather than simply a tool for DDoS, spam, ransomware deployment, or credential theft.”

Clubic frames the same concept as a stage in cybercrime where “Hacked PCs to Run AI?” and says Mycelium would organize compromised machines to run AI-related tasks, including generating highly personalized phishing content.

Broader AI threat surface

Beyond botnets that target SSH, Ars Technica describes a prompt-injection attack named HalluSquatting that researchers say can assemble massive botnets, perform large-scale DDoSes, and infect devices at scale.

Flare spotted on the dark web a new kind of botnet offer

ClubicClubic

Ars Technica says HalluSquatting works against AI coding assistants and agents including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw, and it explains the attack “works against AI coding assistants and agents” by exploiting how they pull code and resources from repositories and registries.

The Ars Technica account says the attack is “Short for adversarial hallucination squatting,” and it describes predicting the resource identifiers LLMs are likely to hallucinate and seeding them with instructions to install reverse shells or other malicious wares.

In parallel, www.noticiasneo reports that Chinese authorities detected a “puerta trasera” vulnerability in autonomous coding platforms developed in the United States, allowing sensitive information to be sent to remote servers without user consent, including location and identity data.

Le Monde Informatique’s SSHStalker reporting ties the broader theme to basic hygiene, with Chris Cochran saying the campaign proves “les vieilles astuces fonctionnent toujours,” and urging security leaders to stop relying on SSH password access and instead implement measures like key-based authentication.

More on Technology and Science